Web Application Pentest Lab setup Using Docker

For web application penetration practice, we all look for vulnerable applications like DVWA and attempt to configure vulnerable practice environments. As we all know, it’s time consuming activity and it takes a lot of effort, but this can be done in a couple of minutes with the help of the docker.

In this post you will learn how to configure vulnerable web applications (DVWA, BWAPP & etc) with the help of docker.

Table of Content

  • Requirement
  • Objective
  • Web application
  • DVWA
  • Mutillidae
  • bWAPP
  • Another Method

Requirement-Ubuntu 18.0

Objective:

Configure web application server on docker

Web Application

A web application is a remote server software application. In general, web browsers are used through a network, such as an internet, to access Web applications. Like a software program running on a desktop or desktop application, the Web-app permits interaction with the user and can be designed for a wide range of applications.

Docker

Docker is a third-party tool developed to create an isolated environment to execute any application. These applications are run using containers. These containers are unique because they bring together all the dependencies of an application into a single package and deploy it.  Now, to work with docker you will need to install docker-engine in your host.

Run following the command to install docker:

Then execute the following command to activate docker

And we have installed docker version 18.09.7 in our local machine.

Configure DVWA on Docker

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

To install and configure DVWA through docker is quite simple then manual approach, you can search for its docker image directly by typing following command on the terminal.

Here you can observe that it has shown the docker image for dvwa as per given rating and even you can search for the same over the internet. You will obtain the same output as shown below.

Now we can directly pull the package by executing the following command:

And then to start docker service for dvwa; enter below command in your terminal.

Good! We have successfully configured the dvwa lab in ubuntu as we can see that we are welcomed by the login page.

Enter the following URL and click on Create/Reset Database.

Once the database will get create you can login into application to access the web console.

And we have our DVWA application ready for use, thus we can see it required very less effort.

Configure Mutillidae on Docker

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

Similarly, we can run mutillidae using docker without wasting much time in manual configuration. Repeat the same step as done before, first pull the package and then use the docker to start mutillidae over a specific port.

This time we had chosen port 1137 to launch the mutillidae application. Thus, we will open this our local browser by the following URL: localhost:1337 where we will find an option of reset database. Just click on it to reset the database.

Configure WebGoat on Docker

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

Similarly, we can run WebGoat using docker without wasting much time in manual configuration. Repeat the same step as done before, first pull the package and then use the docker to start WebGoat over a specific port.

To access the webgoat application run following URL in the web browser.

Configure bWAPP on Docker

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

Repeat the same approach and execute following command to pull its docker image.

then use the docker to start WebGoat over a specific port.

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bug and you are logged in in bWAPP.

Enter the credential bee:bug and get access of the web console.

Now you can start working on bWAPP.

Another Method

We can use PentestLab Management Script because this script uses docker and hosts alias to make web apps available on localhost” and it can pull the following applications.

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web App
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas
  • Altoro Mutual

Install and configure PentestLab Management Script

To checklist of a web application, use list option along with the script.

To start the web application, just write the name of web application after executable script as shown here.

Execute the following URL to browse the web application.

Conclusion:

Vulnerable web application lab set-up using docker is very easy and fast as compared to other approaches. A pen-tester can easily set up his/her own vulnerable lab using docker in a very short period of time.

Hope you liked this technique to web application configuration.

Happy Hacking!!

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

WordPress: Reverse Shell

This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our local machine but if you want to learn WordPress installation and configuration then visit the link given below.

https://www.hackingarticles.in/wordpress-penetration-testing-lab-setup-in-ubuntu/

As we all know wpscan is a standalone tool for identifying vulnerable plugins and themes of WordPress, but in this post, we are not talking wpscan tutorial.

Table of Content

  • Metasploit Framework
  • Injecting Malicious code in WP_Theme
  • Upload Vulnerable WP_Pulgin
  • Inject Malicious Plugin

Requirement:

Host machine: WordPress

Attacker machine: Kali Linux

WordPress Credential: admin: admin (in our case)

Let’s begin!!

As you can observe that I have access of WordPress admin console over the web browser, for obtaining web shell we need to exploit this CMS. There are multiple methods to exploit WordPress, let’s go for some operations.

Metasploit Framework

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as a result, it will give meterpreter session of the webserver.

Great!! It works wonderfully and you can see that we have owned the reverse connection of the web server via meterpreter session.

Injecting Malicious code in WP_Theme

There’s also a second technique that lets you spawn web server shells. If you have a username and password for the administrator, log in to the admin panel and inject malicious PHP code as a wordpress theme.

Login into WP_dashboard and explore the appearance tab.

Now go for theme twenty fifteen chose the templet into 404.php

You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the webserver.

Now, to proceed further, we used the reverse shell of PHP (By Penetstmonkey). And then we copied the above php-reverse-shell and paste it into the 404.php wordpress template as shown in the picture below. We have altered the IP address to our present IP address and entered any port you want and started the netcat listener to get the reverse connection.

 

Update the file and browse the following URL to run the injected php code.

you will have your session upon execution of 404.php file. Access netcat using the following command:

Upload Vulnerable WP_Plugin

Some time logon users do not own writable authorization to make modifications to the WordPress theme, so we choose “Inject WP pulgin malicious” as an alternative strategy to acquiring a web shell.

So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I’ve already downloaded the vulnerable plugin from exploit db.

Click here to download the plugin for practice.

Since we have zip file for plugin and now it’s time to upload the plugin.

Dashboard > plugins > upload plugin

Browse the downloaded zip file as shown.

Once the package gets installed successfully, we need to activate the plugin.

When everything is well setup then go for exploiting. Since we have installed vulnerable plugin named “reflex-gallery” and it is easily exploitable.

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.

Inject Malicious Plugin

As you have seen above that we have uploaded the vulnerable plugin whose exploit is available. But this time we are going to inject our generated malicious plugin for obtain reverse shell.

This is quite simple as we have saved malicious code for reverse shell inside a php file named “revshell.php” and compressed the file in zip format.

Again, repeat the same step as done above for uploading plugin “revshell.zip” file and start netcat listener to obtain the reverse connection of the target machine.

Once the package gets installed successfully, we need to activate the plugin.

As soon as you will activate the plugin it will through the reverse connection as netcat session.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Web Shells Penetration Testing

This post will describe the various PHP web Shell uploading technique to take unauthorized access of the webserver by injecting a malicious piece of code that are written in PHP.

Table of Content

  • Introduction of PHP Web shells
  • Inbuilt Kali’s web shells
    • simple backdoor.php
    • qsd-php backdoor web shell
    • php-reverse-shell.php
  • Using MSF venom
  • Weevely php web shell
  • PHP_bash web shell

Requirements

Attacker: Kali Linux

Target: Web for Pentester, DVWA

Introduction of PHP Web Shells

Web shells are the scripts which are coded in many languages like PHP, Python, ASP, Perl and so on which further use as backdoor for illegitimate access in any server by uploading it on a web server.

The attacker can then directly perform the read and write operation once the backdoor is uploaded to a destination, you can edit any file of delete the server file. Today we are going to explore all kinds of php web shells what-so-ever are available in Kali Linux and so on. So, let’s get started.

Kali Linux has inbuilt PHP Scripts for utilizing them as a backdoor to assist Pen-testing work. They are stored inside /usr/share/webshells/php and a pen-tester can directory make use of them without wasting time in writing PHP code for the malicious script.

  • simple backdoor.php
  • qsd-php backdoor web shell
  • php-reverse-shell.php

Simplebackdoor.php shell

Simple-backdoor.php is a kind of web shell that can generate a remote code execution once injected in the web server and script made by “John Troon”. It is already accessible in Kali in the/usr/share/web shells/php folder as shown in the pic below and after that, we will run ls -al command to check the permissions given to the files.

Now you must discover a way to upload a shell in your application. As we have to do all this Web for Pentesters, so we will first try to upload here simple backdoor php shell which is already available in kali and click on send the file to upload the shell.

As you can see, we have successfully uploaded the malicious php file and received the hyperlink for the uploaded file.

Thus, we try to access simple-backdoor.php and obtain the following output. As we can observe that here “cmd=cat+/etc/passwd” is a clear indication for Remote code execution.

 

So, let’s try and run cat+/etc/passwd to retrieve all the passwords of the server.

As a result, we have extracted all records of passwd file, hence we can execute any command such as ls, cp and so on therefore we can obtain web shell by exploiting REC.

 

qsd-php backdoor shell

An exploit of a web shell generally considered as a backdoor that enables an attacker to access and control a server remotely and the qsd-php backdoor shell is a kind of backdoor which provides a platform for executing system command and the wonderful script made by “Daniel Berliner”.

As you can see, we have uploaded the qsd-php-backdoor.php file successfully.

Then try accessing qsd-php-backdoor.php as you did in the previous step and you will find something as shown in the image below. Here you can perform directory traversal and you can also access the Web Server directory directly by entering the command and clicking on the go button.

As you can observe we have accessed the current directory directly without executing any system command.

We can also execute arbitrary system command since this backdoor provides a platform to execute the shell command such cat/etc/passwd, ls -al and much more. We can also run two commands simultaneously and see the result.

As you can see that we have got the result successfully.

PHP-reverse shell

Now its turn to move towards our next php web shell which is php-reverse-shell.php which will open an outbound TCP connection from the webserver to a host and script made by “pentestmonkey”. A shell will be attached to the TCP connection (reverse TCP connection). You can run interactive programs such as telnet, ssh etc with this script. It is different from the other Web shells script, through which you can send a single command and then return the output.

For this, we need to open this script through nano

Here we need to give the LISTEN_IP (Kali Linux) where we want the connection and LISTEN_PORT number can be set any.

 Now we need to upload this web shell in order to get the reverse connection. So, we will upload the malicious file and on the other hand start netcat listener inside a new terminal.

We can see that it is uploaded successfully.

Now as soon as you will execute the uploaded file and If all went well, then, the webserver should have thrown back a reverse shell to your netcat listener. And you can verify that we have got the shell successfully.

PHP Backdoor using MSFvenom 

We can also generate a php web shell with the help of msfvenom. We, therefore, write use msfvenom following command for generating malicious php code in raw format.

Then copy the code and save it by the name of meter.php

Now we will upload this malicious shell in DVWA lab to get the reverse connection. Now you can see the “meter.php successfully uploaded” message from the screenshot, meaning that our php backdoor is effectively uploaded.

In order to execute the shell, we will open the URL of DVWA.

Simultaneously we will start multi handler where we will get the meterpreter shell and we will run the following commands where we need to specify the lhost and lport to get the reverse connection.

As soon as you will explore the uploaded path and execute the backdoor, it will give you a meterpreter session.

Weevely Shell

Weevely is a stealthy PHP internet shell which simulates the link to Telnet and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor a web shell to manage legit web accounts, it is an essential tool for web application post-exploitation. We can generate a PHP backdoor protected with the password.

Open the terminal and type weevely to generate a php backdoor and also set a password as in our case we have taken “raj123” and save this web shell as weevely.php

Now upload this web shell at the target location as in our case we have uploaded it at Web for pen testers and we will open the URL in the browser to execute the web shell.

Type the following instruction to initiate the webserver attack and put a copied URL into the Weevely command using password raj123 and you can see that we have got the victim shell through weevely. We can verify this by id command.

You can also check all the functionality of weevely through help command.

PHPbash shell

Phpbash is an internet shell that is autonomous, semi-interactive. We are going to download it from GitHub and then we will go inside the directory phpbash and execute ls -al command to check the available files.

So inside phpbash, we found a php script named “phpbash.php”, upload this script at your target location.

Now we will upload this web shell in DVWA lab and we can see the message that it is uploaded successfully.

Going ahead; we will open the URL to execute the shell.

Here our phpbash malicious file is executed and given the web shell. The benefit of the phpbash is that it doesn’t require any type of listener such as netcat because it has inbuilt bash shell that you can observe from the given image.

As a result, we have bash shell of www-data and we can execute system command directly through this platform.

So, this way we have explored and performed numerous ways to get the web shell through php web shells; which you can find under this single article.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Hack the Box Challenge: Baniston Walkthrough

Today we are going to solve another CTF challenge called “Baniston” which is categorized as a retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Penetration Testing Methodology

  • Network Scanning
    • Open Port & Services (Nmap)
  • Enumeration
    • Connecting to SMB
    • Enumerating SMB
    • Mounting Backups
  • Exploitation
    • Getting SAM file
    • Cracking SAM file contents
    • Getting User Flag
  • Privilege Escalation
    • Enumerating mRemoteNG
    • Cracking mRemoteNG encrypted password
    • Capture Root Flag

Walkthrough

Network Scanning

Since these labs are online, therefore they have static IP. The IP of Baiston is 10.10.10.134 so let’s start with nmap port enumeration.

From the given image below, we can observe that we found ports 22, 135, 139, 445 are open. This means the services like ssh, MSRP, smb etc are running in the victim’s network.

Enumeration

As we can clearly note form the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on SMB. We logged in using the command mentioned. There is a list of shared directories. We tried a bunch of them but only Backups seems to be accessible. We enumerated that directory. We find a notes.txt, a temp file, and a directory named WindowsImageBackup. Let’s transfer the notes.txt file on our machine to read its contents.

After transferring the file, we went back on our kali shell and read the file using the cat command.

It contained the message that might be a hint. Let’s keep it in mind and enumerate further.

“Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.”

We went back to the smb, in order to look at the directory we found earlier. It contained another directory with the name of the system, L4mpje, we went into that directory as well to find a Backup directory. Here we found some vhd images. On close inspection, we found that these are system backup files.

The note said that trying to download them will take a very long time, we decided that mounting them is the way to go. To do this we are going to create these directories as shown in the image.

Now for the mounting of those backups, we are going to use the CIFS protocol followed by the path of the backup folder, with an anonymous user.

Now using the qemu-nbd we will mount the specific vhd backup file. After mounting we went into the vhd directory to see the files that the backup contained.

We enumerated around for a while and finally, we went into the System32 directory to find a config directory. Here we found the SAM and the SYSTEM file.

Exploitation

Now we have to extract the credentials from these two files. To do that we are going to use samdump script. After running, we got the following hashes. Two of these users are disabled.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfeed16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfeed16ae931b73c59d7e0c089c0:::

L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We cracked the hash online to find the password for the user L4mpje to be bureaulampje.

Now we will login into the lab using the ssh while using the username l4mpje and the password bureaulampje. After logging in we traversed to the Desktop of the user to read the user.txt flag

Privilege Escalation

Now it’s time to escalate privileges on the lab. We enumerated the user directory to look into the AppData directory. Here inside the Roaming directory, we saw that mRemoteNG is installed on the machine. We got some XML files inside it. We tried to open them using the type command to find an encoded password.  

Password: aEWNFV5uGcjUHFOuS17QTdT9kVqtKCPeoCONw5dmaPFjNO2kt/z05xDgE4HdVmHAowVRdC7emf7lWWAlOdOKiw==

Now, we headed to Google to find any way to decrypt this encoded text, we found this mRemoteNG-Decrypt script for decrypting our password. We cloned the git to our system and ran the python script with the encoded text as a parameter. The password came out to be:

Password: thXLHM96BeKLOER2

Now we will get the ssh as administrator user with our decoded password.

Now let’s enumerate the final flag. We found the root flag on the Desktop.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here